PT-2026-39293 · Bitcoin · Bitcoinj

Published 2026-05-08 · Updated 2026-05-18 · CVE-2026-44714

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: bitcoinj versions prior to 0.17.1

Description: The correctlySpends() function in core/src/main/java/org/bitcoinj/script/ScriptExecution.java contains two fast-path verification bugs affecting standard P2PKH (Pay-to-PubKey-Hash) and native P2WPKH (Pay-to-Witness-PubKey-Hash) spends. The library verifies the attacker-controlled signature and public-key pair but never confirms that the public key matches the key hash committed to by the output being spent. Consequently, any attacker keypair can satisfy local verification for arbitrary P2PKH and P2WPKH outputs. This issue does not affect the SPV (Simple Payment Verification) trust model, as that model follows Proof of Work and does not verify input signatures.

Recommendations: Update to version 0.17.1.
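The missing binding check described above, shown as an added example that is not bitcoinj's code. It uses Go's standard crypto/ecdsa on P-256 as a stand-in for secp256k1 and SHA-256 of the serialized key as a stand-in for HASH160 (both assumptions, since neither is in the Go standard library); the SpendAttempt type and the vulnerableVerify/fixedVerify names are this example's own. The flawed path only checks that the supplied signature is valid for the supplied key; the corrected path first checks that the supplied key hashes to the commitment in the output being spent.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SpendAttempt is what a verifier sees for one input: the signature and
// public key the spender supplies, plus the signature hash of the spending
// transaction. Type and field names are this example's own (assumption).
type SpendAttempt struct {
	Sig     []byte
	PubKey  *ecdsa.PublicKey
	SigHash [32]byte
}

// serializePubKey encodes a public key in uncompressed SEC form (0x04 || X || Y).
func serializePubKey(pub *ecdsa.PublicKey) []byte {
	buf := make([]byte, 65)
	buf[0] = 0x04
	pub.X.FillBytes(buf[1:33])
	pub.Y.FillBytes(buf[33:65])
	return buf
}

// commitToPubKey models the hash an output commits to (HASH160 in a P2PKH
// scriptPubKey or P2WPKH witness program). SHA-256 stands in for HASH160
// because the Go standard library has no RIPEMD-160 (assumption).
func commitToPubKey(pub *ecdsa.PublicKey) [32]byte {
	return sha256.Sum256(serializePubKey(pub))
}

// vulnerableVerify mirrors the flawed fast path the advisory describes: the
// signature is checked against the spender-supplied public key, but nothing
// ties that key to the output being spent, so the committed hash is ignored.
func vulnerableVerify(a SpendAttempt, _ [32]byte) bool {
	return ecdsa.VerifyASN1(a.PubKey, a.SigHash[:], a.Sig)
}

// fixedVerify adds the missing binding: the supplied key must hash to the
// output's commitment before its signature is allowed to authorize the spend.
func fixedVerify(a SpendAttempt, committed [32]byte) bool {
	if commitToPubKey(a.PubKey) != committed {
		return false
	}
	return ecdsa.VerifyASN1(a.PubKey, a.SigHash[:], a.Sig)
}

// sign produces a DER-encoded ECDSA signature over sigHash with the given key.
func sign(priv *ecdsa.PrivateKey, sigHash [32]byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, sigHash[:])
}

// Demo creates an output committed to the owner's key and a spend attempt
// signed by an unrelated key. It returns each verifier's verdict on that
// attempt and the fixed verifier's verdict on the owner's own spend.
func Demo() (wrongKeyVulnerable, wrongKeyFixed, ownerFixed bool, err error) {
	owner, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	other, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	committed := commitToPubKey(&owner.PublicKey)               // what the output locks to
	sigHash := sha256.Sum256([]byte("constructed spending tx")) // constructed stand-in sighash

	otherSig, err := sign(other, sigHash)
	if err != nil {
		return
	}
	attempt := SpendAttempt{Sig: otherSig, PubKey: &other.PublicKey, SigHash: sigHash}
	wrongKeyVulnerable = vulnerableVerify(attempt, committed) // true: key is never bound
	wrongKeyFixed = fixedVerify(attempt, committed)           // false: hash mismatch

	ownerSig, err := sign(owner, sigHash)
	if err != nil {
		return
	}
	ownerFixed = fixedVerify(SpendAttempt{Sig: ownerSig, PubKey: &owner.PublicKey, SigHash: sigHash}, committed)
	return
}

func main() {
	v, f, o, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("unrelated key: vulnerable=%v fixed=%v; owner key: fixed=%v\n", v, f, o)
}
```

The point of the split is that signature validity and key ownership are separate questions: a valid signature under any key proves nothing about an output unless the verifier also checks that the key is the one the output's script committed to.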

Weakness Enumeration

Improper Verification of Cryptographic Signature

Related Identifiers

CVE-2026-44714
GHSA-HFCF-V2F8-X9PC

Affected Products

Bitcoinj